computer security lecture 10 - linköping university...at bob, k bt 1: id a jj id b jjr 1 2: e k at...
TRANSCRIPT
![Page 1: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/1.jpg)
Computer security lecture 10Key management
Jan-Ake Larsson
![Page 2: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/2.jpg)
Cryptography
• A security tool, not a general solution
• Cryptography usually converts a communication security problem intoa key management problem
• So now you must take care of the key security problem, whichbecomes a problem of computer security
![Page 3: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/3.jpg)
Key management
Trent Grant
Cliff
Serge
The problem is to
• generate
• distribute
• store
• use
• revoke
the key in a secure way
![Page 4: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/4.jpg)
Key generation
• The key size decides how many different keys you can have, the searchspace for exhaustive key search
• If keys are not chosen at random, the attacker can first try more likelykeys
• If all bit combinations are not used, security is given by the number ofpossible keys, not the size in bits
• If keys are generated from a known random seed, the size of that seeddecides the security
![Page 5: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/5.jpg)
Key length
![Page 6: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/6.jpg)
Key length
Table 7.1: Minimum symmetric key-size in bits for various attackers
Attacker Budget Hardware Min security (1996)“Hacker” 0 PC 53 45
< $400 PC(s)/FPGA 58 500 ”Malware” 73
Small organization $10k PC(s)/FPGA 64 55Medium organization $300k FPGA/ASIC 68 60Large organization $10M FPGA/ASIC 78 70Intelligence agency $300M ASIC 84 75
From “ECRYPT II Yearly Report on Algorithms and Keysizes (2009-2010)”
![Page 7: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/7.jpg)
Key length
Table 7.1: Minimum symmetric key-size in bits for various attackers
Attacker Budget Hardware Min security (1996)“Hacker” 0 PC 58 45
< $400 PC(s)/FPGA 63 500 ”Malware” 77
Small organization $10k PC(s)/FPGA 69 55Medium organization $300k FPGA/ASIC 69 60Large organization $10M FPGA/ASIC 78 70Intelligence agency $300M ASIC 84 75
From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”
![Page 8: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/8.jpg)
Key establishment and authentication
Trent Grant
Cliff
Serge
• Once upon a time, protocolsestablishing a session key wascalled authentication protocols
• This is no longer the case
• Kerberos (to the left) is knownmainly as an authenticationprotocol
• The end result is anauthorization ticket thatcontains a “session key”
![Page 9: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/9.jpg)
Key Management
• The first key in a new connection orassociation is always delivered via acourier
• Once you have a key, you can use thatto send new keys
• If Alice shares a key with Trent andTrent shares a key with Bob, thenAlice and Bob can exchange a key viaTrent (provided they both trust Trent)
![Page 10: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/10.jpg)
Key distribution center
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can exchange a key via Trent (provided they both trustTrent)
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
![Page 11: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/11.jpg)
Key distribution center
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can exchange a key via Trent (provided they both trustTrent)
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:E K
AT(ID
B||K
AB)
![Page 12: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/12.jpg)
Key distribution center
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can exchange a key via Trent (provided they both trustTrent)
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:E K
AT(ID
B||K
AB) 2:
EKBT (ID
A ||KAB )
![Page 13: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/13.jpg)
Key distribution center, key server
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can receive a key from Trent (provided they both trustTrent)
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:E K
AT(ID B
)
![Page 14: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/14.jpg)
Key distribution center, key server
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can receive a key from Trent (provided they both trustTrent)
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:E K
AT(ID B
)
2:E K
AT(ID
B||K
AB)
2:EKBT (ID
A ||KAB )
![Page 15: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/15.jpg)
Key distribution center
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can exchange a key via Trent (provided they both trustTrent)
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:E K
AT(ID
B||K
AB) 2:
EKBT (ID
A ||KAB )
![Page 16: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/16.jpg)
Key distribution center, replay attacks
• But perhaps Eve has broken a previously used key, and interceptsAlice’s request
• Then she can fool Bob into communicating with her
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
Eve
1: EKAT
(IDB||KAB
)
![Page 17: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/17.jpg)
Key distribution center, replay attacks
• But perhaps Eve has broken a previously used key, and interceptsAlice’s request
• Then she can fool Bob into communicating with her
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
Eve
1: EKAT
(IDB||KAB
)2: old E
KBT (ID
A ||KAB )
![Page 18: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/18.jpg)
Key distribution center, wide-mouthed frog
• Alice and Trent add time stamps to prohibit the attack
• But now, Eve can pretend to be Bob and make a request to Trent
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:E K
AT(t A||ID
B||K
AB
)
![Page 19: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/19.jpg)
Key distribution center, wide-mouthed frog
• Alice and Trent add time stamps to prohibit the attack
• But now, Eve can pretend to be Bob and make a request to Trent
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:E K
AT(t A||ID
B||K
AB
) 2:EKBT (t
T ||IDA ||K
AB )
![Page 20: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/20.jpg)
Key distribution center, wide-mouthed frog
• Alice and Trent add time stamps to prohibit the attack
• But now, Eve can pretend to be Bob and make a request to Trent
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
Eve
1:E K
AT(t A||ID
B||K
AB
) 2:EKBT (t
T ||IDA ||K
AB )
3: EKBT (tT ||ID
A ||KAB )
![Page 21: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/21.jpg)
Key distribution center, wide-mouthed frog
• Alice and Trent add time stamps to prohibit the attack
• But now, Eve can pretend to be Bob and make a request to Trent,who will forward the key to Alice
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
Eve
1:E K
AT(t A||ID
B||K
AB
) 2:EKBT (t
T ||IDA ||K
AB )
3: EKBT (tT ||ID
A ||KAB )
4:E K
AT(t′T||ID
B||K
AB)
![Page 22: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/22.jpg)
Key distribution center, Needham-Schroeder key agree-ment
• Another variation is to use nonces to prohibit the replay attack
• If Eve ever breaks one session key, she can get Bob to reuse it
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:IDA||ID
B||r 1
![Page 23: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/23.jpg)
Key distribution center, Needham-Schroeder key agree-ment
• Another variation is to use nonces to prohibit the replay attack
• If Eve ever breaks one session key, she can get Bob to reuse it
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:IDA||ID
B||r 1
2: EKAT(KS ||IDB ||r1||EKBT
(KS ||IDA))
![Page 24: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/24.jpg)
Key distribution center, Needham-Schroeder key agree-ment
• Another variation is to use nonces to prohibit the replay attack
• If Eve ever breaks one session key, she can get Bob to reuse it
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:IDA||ID
B||r 1
2: EKAT(KS ||IDB ||r1||EKBT
(KS ||IDA))
3: EKBT(KS ||IDA)
![Page 25: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/25.jpg)
Key distribution center, Needham-Schroeder key agree-ment
• Another variation is to use nonces to prohibit the replay attack
• If Eve ever breaks one session key, she can get Bob to reuse it
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:IDA||ID
B||r 1
2: EKAT(KS ||IDB ||r1||EKBT
(KS ||IDA))
3: EKBT(KS ||IDA)
4: EKS(r2)
![Page 26: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/26.jpg)
Key distribution center, Needham-Schroeder key agree-ment
• Another variation is to use nonces to prohibit the replay attack
• If Eve ever breaks one session key, she can get Bob to reuse it
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBT
1:IDA||ID
B||r 1
2: EKAT(KS ||IDB ||r1||EKBT
(KS ||IDA))
3: EKBT(KS ||IDA)
4: EKS(r2)
5: EKS(r2 − 1)
![Page 27: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/27.jpg)
Key distribution center, Needham-Schroeder key agree-ment
• Another variation is to use nonces to prohibit the replay attack
• If Eve ever breaks one session key, she can get Bob to reuse it
TrentKey distribution center
KAT ,KBT
Alice, KAT Bob, KBTEve
1: EKBT(KS ||IDA)
2: EKS(r2)
3: EKS(r2 − 1)
![Page 28: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/28.jpg)
Kerberos
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1. Cliff sends Trent IDC ||IDG
2. Trent responds width EKC(KCG )||TGT
where TGT = IDG ||EKG(IDC ||t1||KGC )
3. Cliff sends Grant EKCG(IDC ||t2)||TGT
4. Grant responds with EKCG(KCS)||ST
where ST = EKS(IDC ||t3||texpir.||KCS)
5. Cliff sends Serge EKCS(IDC ||t4) and can
then use Serge’s services
![Page 29: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/29.jpg)
Kerberos
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1 1. Cliff sends Trent IDC ||IDG
2. Trent responds width EKC(KCG )||TGT
where TGT = IDG ||EKG(IDC ||t1||KGC )
3. Cliff sends Grant EKCG(IDC ||t2)||TGT
4. Grant responds with EKCG(KCS)||ST
where ST = EKS(IDC ||t3||texpir.||KCS)
5. Cliff sends Serge EKCS(IDC ||t4) and can
then use Serge’s services
![Page 30: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/30.jpg)
Kerberos
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2
1. Cliff sends Trent IDC ||IDG
2. Trent responds width EKC(KCG )||TGT
where TGT = IDG ||EKG(IDC ||t1||KGC )
3. Cliff sends Grant EKCG(IDC ||t2)||TGT
4. Grant responds with EKCG(KCS)||ST
where ST = EKS(IDC ||t3||texpir.||KCS)
5. Cliff sends Serge EKCS(IDC ||t4) and can
then use Serge’s services
![Page 31: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/31.jpg)
Kerberos
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2 3
1. Cliff sends Trent IDC ||IDG
2. Trent responds width EKC(KCG )||TGT
where TGT = IDG ||EKG(IDC ||t1||KGC )
3. Cliff sends Grant EKCG(IDC ||t2)||TGT
4. Grant responds with EKCG(KCS)||ST
where ST = EKS(IDC ||t3||texpir.||KCS)
5. Cliff sends Serge EKCS(IDC ||t4) and can
then use Serge’s services
![Page 32: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/32.jpg)
Kerberos
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2 3
4 1. Cliff sends Trent IDC ||IDG
2. Trent responds width EKC(KCG )||TGT
where TGT = IDG ||EKG(IDC ||t1||KGC )
3. Cliff sends Grant EKCG(IDC ||t2)||TGT
4. Grant responds with EKCG(KCS)||ST
where ST = EKS(IDC ||t3||texpir.||KCS)
5. Cliff sends Serge EKCS(IDC ||t4) and can
then use Serge’s services
![Page 33: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/33.jpg)
Kerberos
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2 3
4
5
1. Cliff sends Trent IDC ||IDG
2. Trent responds width EKC(KCG )||TGT
where TGT = IDG ||EKG(IDC ||t1||KGC )
3. Cliff sends Grant EKCG(IDC ||t2)||TGT
4. Grant responds with EKCG(KCS)||ST
where ST = EKS(IDC ||t3||texpir.||KCS)
5. Cliff sends Serge EKCS(IDC ||t4) and can
then use Serge’s services
![Page 34: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/34.jpg)
Kerberos realms
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2 3
4
5
• Contains one authentication server (KAS),several authorization servers (TGS), andmany services
• Distributed system, with centralized accesscontrol, a single security policy that is easy tocheck, and change
• A realm often corresponds to a singleorganization, and several realms can beconnected
• This often is controlled by trust (sharedkeys), but also other considerations likecontractual agreements
![Page 35: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/35.jpg)
Controlled invocation in distributed systems
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2 3
4
5
• The remote program (subject) needs to acton behalf of the user (principal)
• In Windows AD (∼Kerberos), this can be
done in two ways
• “Proxy tickets” that are limited inthe access rights, e.g., to one file forprinting it
• “Forwarded TGTs” that can be usedto apply for new tickets on behalf ofthe user
• The latter is like lending out your passwordfor the duration of the ticket
![Page 36: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/36.jpg)
Revocation in Kerberos
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2 3
4
5
• The access rights of the principal needs tobe revoked at the TGS
• But issued tickets continue to be validuntil they expire (TOCTTOU)
• Typically, KAS tickets is vaild for a day
• There is a tradeoff between convenience(long validity) and fast revocation (shortvalidity)
![Page 37: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/37.jpg)
Kerberos, more comments
TrentKC ,KG
GrantKG ,KS
CliffKC
SergeKS
1
2 3
4
5
Lots of technical details:
• Clock sync
• Timestamp skew window
• Online servers (Availability)
• Trusting servers
• Password security
• Client machine security
• DOSing the KAS
• . . .
![Page 38: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/38.jpg)
Public key distribution, Diffie-Hellmann
• Diffie-Hellman key exchange is a way to share key
• Alice and Bob create secrets a and b
• They send αa mod p and αb mod p to each other
• Both calculate KAB = (αa)b = (αb)a mod p
TrentKey distribution center
KAT ,KBT
Alice, a,KAT Bob, b,KBT
αa mod p
αb mod p
![Page 39: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/39.jpg)
Public key distribution, Diffie-Hellmann
• Diffie-Hellman key exchange is a way to share key
• Alice and Bob create secrets a and b
• They send αa mod p and αb mod p to each other
• Both calculate KAB = (αa)b = (αb)a mod p
TrentKey distribution center
KAT ,KBT
Alice, a,KAT Bob, b,KBT
αa mod p
αb mod pKAB = (αb)a KAB = (αa)b
![Page 40: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/40.jpg)
Public key distribution, Diffie-Hellmann
• Diffie-Hellman key exchange is a way to share key
• However, Eve can do an “intruder-in-the-middle”
TrentKey distribution center
KAT ,KBT
Alice, a,KAT Bob, b,KBTEve
αa mod p
αe mod p
αe mod p
αb mod p
![Page 41: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/41.jpg)
Public key distribution, Station-To-Station (STS) protocol
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can use Trent to verify that they exchange key with theright person
TrentKey distribution center
KAT ,KBT
Alice, a,KAT Bob, b,KBT
αa, EKAB(sigA(αa,αb))
αb, EKAB(sigB(αa,αb))
![Page 42: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/42.jpg)
Public key distribution, Station-To-Station (STS) protocol
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can use Trent to verify that they exchange key with theright person
TrentKey distribution center
KAT ,KBT
Alice, a,KAT Bob, b,KBT
αa, EKAB(sigA(αa,αb))
αb, EKAB(sigB(αa,αb))
ver B
? verA ?
![Page 43: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/43.jpg)
Public key distribution, Station-To-Station (STS) protocol
• If Alice shares a key with Trent and Trent shares a key with Bob, thenAlice and Bob can use Trent to verify that they exchange key with theright person
TrentKey distribution center
KAT ,KBT
Alice, a,KAT Bob, b,KBT
αa, EKAB(sigA(αa,αb))
αb, EKAB(sigB(αa,αb))
ver B
? verA ?
ver B
verA
![Page 44: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/44.jpg)
Public key distribution
• Public key distribution uses a Public Key Infrastructure (PKI)
• Alice sends a request to a Certification Authority (CA) who respondswith a certificate, ensuring that Alice uses the correct key tocommunicate with Bob
TrentCertification Authority
sT , {ei}
Alice, vT , dA Bob, vT , dB
![Page 45: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/45.jpg)
Public key distribution, using Certification Authorities
• Public key distribution uses a Public Key Infrastructure (PKI)
• Alice sends a request to a Certification Authority (CA) who respondswith a certificate, ensuring that Alice uses the correct key tocommunicate with Bob
TrentCertification Authority
sT , {ei}
Alice, vT , dA Bob, vT , dB
1:IDB
2:e B
, sign T
(IDB, e
B)
![Page 46: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/46.jpg)
Public key distribution, using X.509 certificates
• The CAs often are commercial companies, that are assumed to betrustworthy
• Many arrange to have the root certificate packaged with IE, Mozilla,Opera,. . .
• They issue certificates for a fee
• They often use Registration Authorities (RA) as sub-CA for efficiencyreasons
• This creates a “certificate chain”
![Page 47: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/47.jpg)
The content of a X.509 certificate
Version (v3)Serial NumberAlgorithm IDIssuerValidity PeriodSubject NameSubject Public Key Info (Algorithm, Public Key)Issuer Unique Identifier (optional)Subject Unique Identifier (optional)Extensions (optional)Certificate Signature AlgorithmCertificate Signature
![Page 48: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/48.jpg)
Revocation
• Certificate Revocation Lists distributed at regular intervals is theproposed solution in X.509
• On-line checks are better, but can be expensive
• Short-lived certificates are an alternative, but needs frequentcertificate changes
• And the CAs themselves are not the best examples of trustworthyorganizations
![Page 49: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/49.jpg)
Public key distribution, X.509 (PKIX) certificates in yourbrowser
![Page 50: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/50.jpg)
Public key distribution, using web of trust
Alice
Bob
Charlie
Diana
Eric
Fred
• No central CA
• Users sign each other’s public key(hashes)
• This creates a “web of trust”
• Each user keeps a keyring with thekeys (s)he has signed
• The secret key is stored on a secretkeyring, on h{er,is} computer
• The public key(s) and theirsignatures are uploaded to keyservers
![Page 51: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/51.jpg)
Public key distribution, using web of trust (PGP and GPG)
Alice
Bob
Charlie
Diana
Eric
Fred
• No central CA
• Users sign each other’s public key(hashes)
• This creates a “web of trust”
• Each user keeps a keyring with thekeys (s)he has signed
• The secret key is stored on a secretkeyring, on h{er,is} computer
• The public key(s) and theirsignatures are uploaded to keyservers
![Page 52: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/52.jpg)
Public key distribution, a web-of-trust path
![Page 53: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/53.jpg)
Secure Sockets Layer (SSL); Transport Layer Security (TLS)
• This is a client-server handshake procedure to establish key
• The server (but not the client) is authenticated (by its certificate)
Client Server
![Page 54: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/54.jpg)
Secure Sockets Layer (SSL); Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public keysystems + symmetric key systems + hash functions + compressionalgorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) randomnumber, system choices, public key
ClientKeyExchange: PreMasterSecret, encrypted with the server’s public key
(Master secret): creation of master secret using a pseudorandom function, with thePreMasterSecret as seed
(Session keys): session keys are created using the master secret, different keys for thetwo directions of communication
ChangeCipherSpec, Finished authenticated and encrypted, containing a MAC for theprevious handshake messages
Client Server
ClientHello
![Page 55: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/55.jpg)
Secure Sockets Layer (SSL); Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public keysystems + symmetric key systems + hash functions + compressionalgorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) randomnumber, system choices, public key
ClientKeyExchange: PreMasterSecret, encrypted with the server’s public key
(Master secret): creation of master secret using a pseudorandom function, with thePreMasterSecret as seed
(Session keys): session keys are created using the master secret, different keys for thetwo directions of communication
ChangeCipherSpec, Finished authenticated and encrypted, containing a MAC for theprevious handshake messages
Client Server
ClientHello
ServerHello,. . .
![Page 56: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/56.jpg)
Secure Sockets Layer (SSL); Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public keysystems + symmetric key systems + hash functions + compressionalgorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) randomnumber, system choices, public key
ClientKeyExchange: PreMasterSecret, encrypted with the server’s public key
(Master secret): creation of master secret using a pseudorandom function, with thePreMasterSecret as seed
(Session keys): session keys are created using the master secret, different keys for thetwo directions of communication
ChangeCipherSpec, Finished authenticated and encrypted, containing a MAC for theprevious handshake messages
Client Server
ClientHello
ServerHello,. . .
ClientKeyExchange
![Page 57: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/57.jpg)
Secure Sockets Layer (SSL); Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public keysystems + symmetric key systems + hash functions + compressionalgorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) randomnumber, system choices, public key
ClientKeyExchange: PreMasterSecret, encrypted with the server’s public key
(Master secret): creation of master secret using a pseudorandom function, with thePreMasterSecret as seed
(Session keys): session keys are created using the master secret, different keys for thetwo directions of communication
ChangeCipherSpec, Finished authenticated and encrypted, containing a MAC for theprevious handshake messages
Client Server
ClientHello
ServerHello,. . .
ClientKeyExchange
![Page 58: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/58.jpg)
Secure Sockets Layer (SSL); Transport Layer Security (TLS)
ClientHello: highest TLS protocol version, random number, suggested public keysystems + symmetric key systems + hash functions + compressionalgorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) randomnumber, system choices, public key
ClientKeyExchange: PreMasterSecret, encrypted with the server’s public key
(Master secret): creation of master secret using a pseudorandom function, with thePreMasterSecret as seed
(Session keys): session keys are created using the master secret, different keys for thetwo directions of communication
ChangeCipherSpec, Finished authenticated and encrypted, containing a MAC for theprevious handshake messages
Client Server
ClientHello
ServerHello,. . .
ClientKeyExchange
. . . ,Finished
![Page 59: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/59.jpg)
Secure Sockets Layer (SSL) and Transport Layer Security(TLS)
Client Server
ClientHello
ServerHello,. . .
ClientKeyExchange
. . . ,Finished
• SSL 1.0 (no public release), 2.0 (1995), 3.0 (1996), originally byNetscape
• TLS 1.0 (1999), TLS 1.1 (2006), TLS 1.2 (2008), and some laterchanges
• Current problem: TLS 1.0 is fallback if either end does not supporthigher versions
![Page 60: Computer security lecture 10 - Linköping University...AT Bob, K BT 1: ID A jj ID B jjr 1 2: E K AT (K SjjID Bjjr1jjE K BT (K SjjID A)) Key distribution center, Needham-Schroeder key](https://reader033.vdocument.in/reader033/viewer/2022043013/5fac87ef3d5582547c527ee4/html5/thumbnails/60.jpg)
Key management
Trent Grant
Cliff
Serge
The problem is to
• generate
• distribute
• store
• use
• revoke
the key in a secure way